LetsEncrypt plugin v1.3.0 RELEASED

Dear community,

A new version of the LetsEncrypt plugin has just been released:

CHANGELOG

• Added: `include_altnames` configuration parameter (Closes: #IP-1657)
• Added: Support for i-MSCP control panel and services SSL certificates
• Fixed: Enforce non-interactive debconf frontend to avoid confusing debug log
• Fixed: Installation fail due to missing certbot `--non-interactive' command line option (regression fix)
• Fixed: Syntax error in SQL statement (iMSCP_Plugin_LetsEncrypt::afterDeleteCustomer() event listener)

Once registered on our forums, you can purchase this plugin at: https://i-mscp.net/index.php/PaidSubscriptionList/

Update notes regarding this new version

I. Let's Encrypt SSL certificates for the control panel and services (FTP, IMAP/POP and SMTP)

The plugin is now able to handle issuance of SSL certificates for the control panel and/or services. To enable Let's Encrypt for the control panel and/or services you must in order:

• Enable SSL on i-MSCP side for the control panel and/or services, by choosing the self-signed SSL certificate option
• Connect as administrator to the control panel
• Activate Let's Encrypt for the control panel and/or services through the administrator's Let's Encrypt interface

The link for accessing the administrator's Let's Encrypt interface is available in the settings page.

Note that it is important to not disable this plugin when updating/reconfiguring i-MSCP because there is an event listener that replace the default SSL certificates by the Let's Encrypt SSL certificates. If the LetsEncrypt plugin is disabled, the event listener will not be triggered and so, the SSL certificates won't be replaced.

Be aware that this feature is still experimental.

Regarding SSL certificate for the control panel

Note that after enabling Let's Encrypt for the control panel, you may have to close and re-open your browser. Indeed, in some cases, the newly created SSL certificate is not loaded after a simple page refresh.

Note for PanelRedirect plugin users

If you use the PanelRedirect plugin, you must ensure that you have a version greater or equal to 1.1.5, else, the domain validations will fail.

II. SSL for alternative URL

Support for alternative URLs has been added. You can enable it by setting the include_altnames configuration parameter to true in the plugin configuration file. Once done, don't forget to trigger a plugin list update.

Before enabling support for alternative URLs, be sure that your DNS server can resolve names for them. If you use an external DNS server, this is generally achieved by adding a wildcard DNS resource record such as

where <panel.domain.tld> is the domain used for accessing the i-MSCP control panel and <server.ip>, the primary IP address of the i-MSCP server.

Be aware that this parameters acts only for new issuances and renewals.

WARNING

There is some limitations in current implementation regarding SSL certificates for the panel and services:

• You cannot presently enable Let's Encrypt for the panel and/or services if the domain for the panel and the services is identical
• You cannot presently enable Let's Encrypt for the panel if the domain for the panel is also added as customer domain or subdomain

In both cases, you will have SQL error. These issues will be fixed in next version which will be released in few hours.

@theqkash @UncleSam

I'll contact you both before releasing for testing if you're ok.

Another bug has just been found. When enabling Let's Encrypt for a customer domain, subdomain... The SSL certificate is generated but the Apache2 vhost (for SSL) is not created. This is due to a misplaced SQL statement in the plugin backend file that prevents update of domain status and therefore, the creation of the required vhost.

@abs0lut3 (and some others) It is useless to make presure on our head. When we work under presure, we cannot test all correctly and some bugs as those above are introduced.

Thank you for your understanding.

CHANGELOG for the coming version:

Updated:

CHANGELOG will be as follow (version bump)

Tests are in progress...

SSL for alternative URLs

You can enable support for alternative URLs by setting the `include_altnames` configuration parameter to`true` in the plugin configuration file. Once done, don't forget to trigger a plugin list update.

Be aware that this parameters acts only for new SSL certificate issuances.

Warning regarding this feature

Due to the current Let's Encrypt rate limits, it is not recommended to enable this feature. Indeed, each SSL certificate issuance for which a SAN is added for an alternative URL will hits the Certificate per Registered Domain limit (20 per week) for the control panel domain. This explain why this feature is turned off by default.

Note that alternative URLs as provided by i-MSCP are meant to allow the customer to access his domain for DNS propagation time. These URLs should not be exposed publicly.

1.4.0 on the road We will enter in second testing phase soon. (tests by customers).

@UncleSam

In the log below, you can see the expand action (adding a SAN in the SSL certificate) and the shrink action (Removing a SAN from the SSL certificate). The domain name here is used for the control panel and also as a customer subdomain.

EXPAND action

SHRINK action

Note that the shrink action requires the removal of current SSL certificate lineage. This is due to the fact that current version of Certbot create another SSL certificate lineage with arbitrary name which is an annoying behavior. This will be fixed in Cerbot 0.10.x normally (We will be able to target a specific lineage).